It’s in the wp-settings.php file and it usually has a series of blank spaces before it. You’ll find it right before the legitimate line of code:

do_action( 'init' );

This needs to be removed and you need to update all of your timthumb.php and thumb.php files. Then you’ll also have to scan your websites for backdoors.

Remember that if your WordPress site is hosted in a hosting account with many other websites in the same account, the backdoor can be in all or any of the other websites. You need to scan and clean them all.

If you need help in finding and removing this, please send us an email at: support@wewatchyourwebsite.com